Exception handling with custom authentication manager

Nov 24th, 2011, 12:23 AM

Hi,

I have implemented my own custom authentication manager. From the client application (Android app) I would like to retrieve a token for a user by using the Resource owner password credentials authorization type. In the case where wrong credentials are given, I throw a UsernameNotFoundException exception in my custom UserDetailsService, but in my client app I do not get a proper error response. When I debugged the code I found OAuth2ExceptionHandlerFilter returns a RuntimeException as a result of DefaultProviderExceptionHandler returning RuntimeException, and due to this a proper response is not formed. Can you suggest what I can do in this case?

The normal Spring Security ExceptionHandlerFilter should catch that exception and handle it in whatever way you specified in your <http/> configuration. If it doesn't, then it's possible your OAuth filter is in the wrong place in the filter chain. Look at the tonr sample to see how it is configured.

Comment

I have not specified anything in the security configuration file on the client side. I have directly done a POST request for retrieving the token as done in one of your Test classes. On the Service provider (sparklr) side I do get that exception but the error response is not passed properly to the client side. Instead it gives a 302 Temporarily Moved response status.

Comment

I'm confused about the client. You aren't using Spring Security OAuth2RestTemplate I guess? But that's not relevant.

On the provider the 302 is generated by the normal Spring Security ExceptionHandlerFilter - that is its default behaviour, so if you want something else you need to look at the standard Spring Security features I think, and it's nothing really to do with OAuth,
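
Added example, not part of the original thread and not code from Spring Security OAuth or the sparklr sample: one standard Spring Security way to get an error response instead of the 302 is a custom `AuthenticationEntryPoint`. The class name `JsonUnauthorizedEntryPoint`, the JSON body and the 401 status are assumptions chosen for illustration; the `javax.servlet` imports assume a Spring Security 3.x era stack like the one discussed above.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point for a non-browser client (such as the Android app
 * in the question). It replaces the default redirect to a login page with a
 * 401 status and a small JSON body that the client can parse.
 *
 * Wiring (assumption): register it as a bean and reference it from the
 * provider's security configuration, e.g. <http entry-point-ref="...">.
 */
public class JsonUnauthorizedEntryPoint implements AuthenticationEntryPoint {

    // Constructed body. It is deliberately the same for every failure so the
    // response does not reveal whether the username exists: a
    // UsernameNotFoundException and a wrong password look identical to the caller.
    private static final String BODY =
            "{\"error\":\"unauthorized\",\"error_description\":\"Bad credentials\"}";

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // Do not write authException.getMessage() to the response; keep the
        // detail for server-side logging only.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=UTF-8");
        // Error responses from a token request should not be cached.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.getWriter().write(BODY);
        response.getWriter().flush();
    }
}
```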